Cyber Entropy Equals Vulnerability Entropy
Mark Dunning
I help CEOs at international professional services companies reduce cybersecurity risk by 50% by building global information security programs and transforming IT teams.
We’ve reached the end of Cyber Entropy Month. As a capstone, please join our webinar Bringing Order to the Chaos of Cyber Entropy this Thursday, September 5th, at 12:00 PM EST.
Vulnerability Entropy
We’ve talked a lot about cyber entropy (you can find posts here, here, here, and here). Yet when we talk about cyber entropy, what we’re really talking about is vulnerability entropy. All this growth in technology is creating an ever-growing number of vulnerabilities that can be exploited by the bad guys.
It’s not just the technology that increases vulnerabilities. It’s also your people, because you aren’t the only one trying to navigate all this new technology: so is your staff, so are your customers, so are your vendors. People make mistakes, and the more you put on them, the greater the chance of a miscue.
So, sure, continue your vulnerability scanning and patch management. You need to keep the holes plugged as best you can. But just as important is security awareness training and creating a culture of ownership and responsibility. Security audits help keep people on their toes and increase their awareness. There’s nothing like a good deadline to bring people into focus. Stress documentation and adherence to the documentation. Process discipline is critical. So is measurement. You wrote all these great procedures that reduce your vulnerabilities. Don’t let the documentation go stale or let your staff wander. Discipline as much as anything will help limit your vulnerabilities. And you need that discipline because…
Threat Entropy
There are an ever-increasing number of bad guys out there. The rewards to them are too high ($5.2M per ransomware attack, last we checked) and the risks, for them, in many parts of the world are too low. More threats are emerging daily, and with the help of AI and now decades of experience, the sophistication is increasing exponentially. We’re not dealing with Nigerian princes any longer.
You can’t control the external threat landscape. Most organizations simply aren’t big enough to do any sophisticated threat hunting. All you can do in response is remain vigilant and aware.
It’s estimated, however, that 60% of breaches are caused or contributed to by insiders, and that is a threat over which you can exert some level of control. It starts by hiring the right people and utilizing background checks. And as we mentioned in our post on access entropy, stay on top of moves, adds and changes. Follow the principles of ‘least privilege’ and ‘need to know’.
It is strange to say it, but it is heartening in some ways that more than half the threats are in-house, because in-house is where we have the most influence. Use it.
Risk Entropy
All of this cyber entropy can make it feel like you are wallowing in risk entropy. Yet the truth is you are always immersed in risk. Everything you do, every step you take, every time you sleep or eat or simply sit on your couch, you are facing some level of risk. But in life we’ve all become adept at quickly evaluating risks and adjusting. Anytime you walk down the stairs, you might fall and get injured. That’s why you have a handrail. That’s why you tie your shoes. That’s why you go slow when your hands are full.
Do the same for your business. Take a proactive approach to risk management. Identify your risks, qualify and quantify them. Then focus on mitigating those that are the greatest threat (like that rotted tree leaning over your bedroom). One of the most practical and effective ways of bringing order to the chaos of risk entropy is through Risk Level Agreements (RLAs). These raise awareness, bring structure to risk evaluation, and establish risk treatment decisions and investments. It’s also a particular area of expertise for us at Phenomenati, in case you want advice.
That’s it! That’s all the cyber entropy. Just five posts worth. If you want to learn more about how to manage cyber entropy (and you should), come to our webinar on September 5th. And if you want help with RLAs or bringing order to any part of this chaos, I’m always available. I can be reached at [email protected] or check out our website.
Good luck! And happy cyber entropy month!